Commentary

My SingPass obstacle course

Three months ago, the Government upgraded the SingPass system to make it safer for residents to access online government services.

SingPass is a password system set up for all Singapore residents in 2003. Users enter a password with their NRIC numbers to access over 200 e-government services, at agencies like the Central Provident Fund (CPF) Board and Inland Revenue Authority of Singapore.

But like other simple password schemes, SingPass is prone to security vulnerabilities when users adopt passwords that are easy to remember, like birth dates, which hackers can easily find out. Using one's NRIC number as a username is also insecure as the string of seven numbers is predictable.

The new SingPass system plugs these gaps with a new security feature - a one-time password (OTP) commonly used in e-banking. For the first time, it also lets SingPass users change to a new username.

The changes are timely and will be welcomed by those who value privacy. But I wish the registration process for the new security features was simpler. When I tried it, I was left frustrated, which in turn delayed my completion.

The first step in the process involves updating one's mobile number or e-mail address on the SingPass website.

Users are then taken to the website of Assurity to indicate if they wish to receive the OTP via SMS, or use a calculator-like token. Assurity is the Infocomm Development Authority (IDA) subsidiary that supplies the OTP solution. After that, it is a wait of up to five days to receive a PIN by snail mail.

The second step involves entering the mailed PIN on Assurity's website to activate the OTP feature selected earlier. At this stage, users are prompted to create a new username and password - which I realised, much later, I had mistaken for my new SingPass ID and password. The last step is to link the OTP feature to the existing SingPass account on SingPass' website.

Sounds confusing? You bet.

For one thing, my initial enthusiasm fizzled out on learning I couldn't proceed until the PIN arrived in the mail. When it did, the mail was left unopened for days. Then, I carried it around in my bag for two more months until it became dog-eared.

Last week, I activated the OTP feature using the mailer PIN. I also created a new username and password on Assurity's website.

Finally, it was time to test my new SingPass credentials, so I tried to access my CPF account. The moment of truth was when the message flashed: "You have entered an invalid SingPass ID or Password".

So, here's what I found:

I missed the last step, which required me to link the OTP feature to my existing SingPass account. This has to be done on SingPass' website. To change the SingPass ID, you need to go to the SingPass website too, and look for the Update Account Details tab.

Surely, IDA - the government agency behind the SingPass revamp - can whittle down the number of steps and put everything on a single website.

I also wish someone could explain why there is a need to create a username and password on Assurity's website.

And, can't the OTP feature be automatically linked to one's SingPass account on activation? The third step is redundant.

I'm not sure how many people have activated and linked the OTP feature to their SingPass accounts. I wasn't part of that number until last week, and certainly not without being put through an obstacle course.

A version of this article appeared in the print edition of The Straits Times on September 23, 2015, with the headline My SingPass obstacle course.